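def writedb(data):
    """Insert one IDS record into the ids_info table.

    Args:
        data: mapping with keys attack_type, hostname, status, method, url and,
            for POST requests, post. url and post are stored base64-encoded.

    Methods other than GET/POST only print 'what?'. The connection is closed
    on every path; errors are logged via record_err.logrecord(), not raised.
    """
    try:
        config = getinfo(filename)
        conn = mysql.connector.connect(**config)
        try:
            cur = conn.cursor()
            attacktype = data[u'attack_type']
            hostname = data[u'hostname']
            status = int(data[u'status'])
            method = data[u'method']
            baseurl = base64.b64encode(data[u'url'])
            verb = method.lower()
            # hostname/url/method come from observed traffic, so they are
            # attacker-controlled: bind them as query parameters instead of
            # formatting them into the SQL text.
            if verb == 'get':
                cur.execute(
                    'insert into ids_info(attack_type, hostname, status, method, url) '
                    'values(%s, %s, %s, %s, %s)',
                    (attacktype, hostname, status, method, baseurl))
                conn.commit()
            elif verb == 'post':
                basepost = base64.b64encode(data[u'post'])
                cur.execute(
                    'insert into ids_info(attack_type, hostname, status, method, url, postdata) '
                    'values(%s, %s, %s, %s, %s, %s)',
                    (attacktype, hostname, status, method, baseurl, basepost))
                conn.commit()
            else:
                print('what?')
        finally:
            conn.close()
    except Exception as e:
        record_err.logrecord()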
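def deldupl(idsdata):
    """Record an IDS alert once per hostname+url pair.

    A pair not yet in the list returned by sur_load_listfile.checkfile() is
    appended to it, persisted through sur_load_listfile.writelist() and logged
    to logs/duplicate_attack.txt. An alert lacking 'hostname' or 'url' goes
    to logs/duplicate_otheratt.txt. Repeated pairs are dropped. File handles
    are closed on every path; errors are logged via record_err.logrecord().
    """
    duplicatedfile = 'logs/duplicate_attack.txt'
    duplicateother = 'logs/duplicate_otheratt.txt'
    try:
        # checkfile() returns the (possibly large) list of hostname+url strings seen so far
        attackedlist = sur_load_listfile.checkfile()
        if 'hostname' in idsdata and 'url' in idsdata:
            key = idsdata['hostname'] + idsdata['url']
            if key not in attackedlist:
                attackedlist.append(key)
                with open(duplicatedfile, 'a') as dupedfile:
                    dupedfile.write(str(idsdata) + '\n')
                sur_load_listfile.writelist(attackedlist)
        else:
            with open(duplicateother, 'a') as dupofile:
                dupofile.write(str(idsdata) + '\n')
    except Exception as e:
        record_err.logrecord()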
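def readfile(startid=1):
    """Load the ids_info row with id == startid and dispatch it by attack type.

    Only rows whose attack_type is u'文件读取' (file read) are handled, via
    catfileread(); other types are ignored. Prints 'mysql info error' and
    returns when no row matches (the original then hit an unbound name).
    The connection is always closed; errors are logged via record_err.logrecord().
    """
    try:
        config = getinfo(filename)
        conn = mysql.connector.connect(**config)
        try:
            cur = conn.cursor()
            # id is bound as a parameter rather than formatted into the statement
            cur.execute(
                'select attack_type, hostname, url, method, status, postdata '
                'from ids_info where id = %s', (startid,))
            result = cur.fetchall()
        finally:
            conn.close()
        if not result:
            print('mysql info error')
            return
        attack_type, hostname, url, method, status, postdata = result[0]
        if attack_type == u'文件读取':
            catfileread(startid, hostname, url, method, status, postdata)
        # other attack types are not processed yet
    except Exception as e:
        record_err.logrecord()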
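def filecount(logfile):
    """Return the number of newline characters in logfile (what `wc -l` reports).

    Counted in Python instead of through `wc -l %s` via the shell, so a path
    containing shell metacharacters is read as a plain filename. Returns None
    after logging via record_err.logrecord() when the file cannot be read.
    """
    try:
        total = 0
        with open(logfile, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                total += chunk.count(b'\n')
        return total
    except Exception as e:
        record_err.logrecord()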
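def count(self):
    """Return the number of newline characters in self.filepath (what `wc -l` reports).

    Counted in Python rather than through the shell, so a path holding shell
    metacharacters is read as a plain filename. Returns None after logging
    via record_err.logrecord() when the file cannot be read.
    """
    try:
        lines = 0
        with open(self.filepath, 'rb') as fh:
            for chunk in iter(lambda: fh.read(65536), b''):
                lines += chunk.count(b'\n')
        return lines
    except Exception as e:
        record_err.logrecord()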
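def writelist(attackedlist):
    """Overwrite the module-level path filelist with the repr of attackedlist.

    The file holds one Python list literal. The handle is now closed (the
    original never closed it). Errors are logged via record_err.logrecord().
    """
    try:
        with open(filelist, 'w') as fh:
            fh.write(str(attackedlist))
    except Exception as e:
        record_err.logrecord()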
def content_process(id, content):
    """Classify a fetched page body.

    Returns (id, 'N') when content is shorter than 10 characters. Longer
    bodies are only printed and the function returns None, so a caller that
    unpacks the result fails on them. Errors are logged via record_err.logrecord().
    """
    try:
        if len(content) >= 10:
            print(content)
            return None
        return id, 'N'
    except Exception as e:
        record_err.logrecord()
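def readfile(content):
    """Parse one recorded alert line (the repr of a dict) and route it to read_file_mysql_delsame.catagory().

    The line is parsed with ast.literal_eval, which accepts only Python
    literals, instead of eval(). Records whose hostname is
    u'www.jiedaibao.com' are skipped. Errors (including a line that is not a
    literal) are logged via record_err.logrecord().
    """
    import ast
    try:
        dict_content = ast.literal_eval(content)
        if dict_content[u'hostname'] != u'www.jiedaibao.com':
            read_file_mysql_delsame.catagory(dict_content)
    except Exception as e:
        record_err.logrecord()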
def test():
    """Print three sample strings, then call test2().

    Errors raised while printing are logged via record_err.logrecord();
    test2() runs either way.
    """
    try:
        print('hello')
        # the two print arguments are separated by a single space
        print('%s %s' % ('似懂非懂分sdfdfdfsabc', 'sdf'))
        content = 'hello sdfsdf2sdf'
        print(content)
    except Exception as e:
        record_err.logrecord()
    test2()
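def writedb(data):
    """Insert one HTTP-attack record into the httpattack table.

    Args:
        data: a str holding the repr of the record dict (as written with
            str(dict) by the collector). hostname, url, useragent and postdata
            are stored base64-encoded because they may hold characters the
            db rejects; useragent and payload default to '' when absent.

    The record is parsed with ast.literal_eval (literals only) rather than
    eval(), and the values are bound as query parameters rather than
    formatted into the SQL text, since they originate from observed traffic.
    The connection is always closed; errors are logged via record_err.logrecord().
    """
    import ast
    try:
        data = ast.literal_eval(data)
        config = getinfo(myfile)
        conn = mysql.connector.connect(**config)
        try:
            cur = conn.cursor()
            useragent = base64.b64encode(data['useragent']) if 'useragent' in data else ''
            # NOTE(review): payload is inserted as-is here while the httpattack
            # reader base64-decodes it — confirm which side is intended.
            row = (
                data['catagory'],
                data['dest_port'],
                base64.b64encode(data['hostname']),
                base64.b64encode(data['url']),
                data['method'],
                data['length'],
                useragent,
                base64.b64encode(data['postdata']),
                data.get('payload', ''),
                data['status'],
            )
            cur.execute(
                'insert into httpattack(catagory, dstport, hostname, url, method, length, '
                'useragent, postdata, payload, status) '
                'values(%s, %s, %s, %s, %s, %s, %s, %s, %s, %s)',
                row)
            conn.commit()
        finally:
            conn.close()
    except Exception as e:
        record_err.logrecord()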
def filename(logfile, file_count, startline):
    """Feed lines startline..file_count of logfile to readfile(), one at a time.

    Returns the number of the last line handled (startline - 1 when there was
    nothing to do). linecache is cleared afterwards so the next pass re-reads
    the growing file. Errors are logged via record_err.logrecord().
    """
    try:
        last_done = startline - 1
        for lineno in range(startline, file_count + 1):
            readfile(linecache.getline(logfile, lineno))
            last_done = lineno
        linecache.clearcache()
        return last_done
    except Exception as e:
        record_err.logrecord()
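def loadlist(filelist):
    """Read the list literal stored on the first line of filelist and return it.

    Returns [] when the file is empty. The line is parsed with
    ast.literal_eval, which accepts only Python literals, instead of eval().
    The handle is closed on every path. Returns None after logging via
    record_err.logrecord() if the file cannot be read or parsed.
    """
    import ast
    try:
        with open(filelist) as fh:
            first = fh.readline()
        if first:
            return ast.literal_eval(first)
        return []
    except Exception as e:
        record_err.logrecord()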
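def getinfo(filename):
    """Parse a `key:value` per-line config file into a dict.

    Only the first ':' separates key from value, so a value may itself
    contain ':' (the original split on every ':' and kept the second field).
    Blank lines and lines without ':' are skipped (the original aborted on
    them). Trailing CR/LF is removed from the value. Returns None after
    logging via record_err.logrecord() if the file cannot be read.
    """
    try:
        config = {}
        with open(filename, 'r') as fh:
            for line in fh:
                key, sep, value = line.partition(':')
                if not sep:
                    continue
                config[key] = value.rstrip('\r\n')
        return config
    except Exception as e:
        record_err.logrecord()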
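def getcount():
    """Return the number of rows in httpattack (select count(id)).

    The connection is closed in a finally block; in the original the
    cur.close()/conn.close() calls sat after the return and never ran.
    Returns None after logging via record_err.logrecord() on failure.
    """
    try:
        config = getinfo(myconf)
        conn = mysql.connector.connect(**config)
        try:
            cur = conn.cursor()
            cur.execute('select count(id) from httpattack ')
            result = cur.fetchall()
            return int(result[0][0])
        finally:
            conn.close()
    except Exception as e:
        record_err.logrecord()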
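def check(id, hostname, url, method, status, postdata):
    """Replay a recorded GET over http and https and report what came back.

    url and (for POST) postdata arrive base64-encoded, as stored by writedb.
    Only GET requests are sent; POST data is decoded but not replayed. For
    each scheme a 200 response body is handed to content_process(); the first
    non-empty result is printed as 'id result', otherwise 'id cannot open!'.
    String results are compared with != (the original used `is`, which
    compares identity). Errors are logged via record_err.logrecord().
    """
    try:
        url = base64.b64decode(url)
        headers = {'user-agent': 'Chrome/60.0.3112.113 Safarids24/537.36'}
        verb = method.lower()
        if verb == 'post':
            postdata = base64.b64decode(postdata)
        result1 = ''
        result2 = ''
        if verb == 'get':
            id, result1 = _probe(id, 'http://' + hostname + url, headers)
            # verify=False: certificate validation is skipped for the https probe
            id, result2 = _probe(id, 'https://' + hostname + url, headers, verify=False)
        if result1 != '':
            print('%s %s' % (id, result1))
        elif result2 != '':
            print('%s %s' % (id, result2))
        else:
            print('%s %s' % (id, 'cannot open!'))
    except Exception as e:
        record_err.logrecord()


def _probe(id, target, headers, **kwargs):
    """GET target; on HTTP 200 hand the body to content_process().

    Returns content_process's (id, result) on a 200, and (id, '') when the
    request fails or the status is anything else. Extra keyword arguments
    are passed through to requests.get.
    """
    try:
        resp = requests.get(target, headers=headers, **kwargs)
    except requests.RequestException:
        return id, ''
    if resp.status_code == 200:
        return content_process(id, resp.text)
    return id, ''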
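def checkfile():
    """Ensure the attacked-list file at the module-level path filelist exists, then return loadlist(filelist).

    A missing file is created empty with open() rather than a shelled-out
    `touch`. The original looped len(filelist) times over the same path and
    counted existence checks; the net effect was the same. Returns None after
    logging via record_err.logrecord() if the file cannot be created or read.
    """
    try:
        if not os.path.exists(filelist):
            open(filelist, 'a').close()
        return loadlist(filelist)
    except Exception as e:
        record_err.logrecord()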
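def fileinfo(logfile, start_line=1):
    """Tail logfile forever, feeding each new line to readfile() via filename().

    Lines start_line..EOF are processed once; then every 3 seconds the
    current line count (filecount) is compared with the last processed line
    and whatever was appended is processed. After each pass the last
    processed line number is appended to /tmp/file_no.txt, one per line (the
    original wrote the numbers with no separator). The handle is closed on
    every path. Never returns normally; an error is logged via
    record_err.logrecord() and ends the loop.
    """
    try:
        processed_line = filename(logfile, filecount(logfile), start_line)
        while True:
            file_count = filecount(logfile)
            if file_count > processed_line:
                processed_line = filename(logfile, file_count, processed_line + 1)
            # record the last processed line number; fixed path under /tmp, as in the original
            with open('/tmp/file_no.txt', 'a') as file_record:
                file_record.write(str(processed_line) + '\n')
            time.sleep(3)
    except Exception as e:
        record_err.logrecord()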
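def getuntestline():
    """Walk the httpattack rows whose attack_status is NULL and hand each id to readfile().

    A fresh connection is opened per iteration as in the original (whether
    readfile() updates attack_status is not visible here), but it is now
    closed in a finally block. The offset is bound as a parameter. An empty
    result ends the loop through the logged IndexError, as before. Errors
    are logged via record_err.logrecord().
    """
    try:
        count = getcount()
        for offset in range(count):
            config = getinfo(myconf)
            conn = mysql.connector.connect(**config)
            try:
                cur = conn.cursor()
                cur.execute(
                    'select id from httpattack where attack_status is NULL limit %s,1',
                    (offset,))
                result = cur.fetchall()
            finally:
                conn.close()
            readfile(result[0][0])
    except Exception as e:
        record_err.logrecord()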
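def catagory(attack_data):
    """Dispatch one http alert by attack type, storing each url+hostname pair once.

    u'文件读取' and u'XSS攻击' alerts are kept only when status == 200,
    u'SQL注入' alerts always. A pair not yet in the matching list is
    appended to it, written to the database (write_todb.writedb) and to
    /tmp/duplicate_attack.txt (no separator between records, as before), and
    the three lists are persisted with load_write_listfile.writelist. The
    file handle is closed on every path. Errors are logged via record_err.logrecord().
    """
    duplicatedfile = '/tmp/duplicate_attack.txt'
    try:
        # checkfile() returns the three lists of pairs seen so far
        filereadlist, xsslist, sqlilist = load_write_listfile.checkfile()
        # url+hostname identifies a target; it is matched against the loaded list
        key = attack_data[u'url'] + attack_data[u'hostname']
        attack_type = attack_data[u'attack_type']
        seen = None
        if attack_type == u'文件读取' and attack_data[u'status'] == 200:
            seen = filereadlist
        elif attack_type == u'XSS攻击' and attack_data[u'status'] == 200:
            seen = xsslist
        elif attack_type == u'SQL注入':
            seen = sqlilist
        if seen is not None and key not in seen:
            seen.append(key)
            write_todb.writedb(attack_data)
            with open(duplicatedfile, 'a') as dupfile:
                dupfile.write(str(attack_data))
            # write the updated lists back to file
            load_write_listfile.writelist(filereadlist, xsslist, sqlilist)
    except Exception as e:
        record_err.logrecord()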
def readfile(content):
    """Parse one JSON alert line and forward http alerts to attack_deliver.catagory().

    The forwarded dict carries attack_type, hostname, url, method, status
    and, when method is 'POST', post (taken from postdata). Records whose
    subproto is missing, empty or not 'http' are ignored. Errors, including
    malformed JSON or missing keys, are logged via record_err.logrecord().
    """
    try:
        alert = json.loads(content)
        if alert[u'subproto'] != 'http':
            return
        fields = (u'attack_type', u'hostname', u'url', u'method', u'status')
        http_alert = dict((name, alert[name]) for name in fields)
        if alert[u'method'] == 'POST':
            http_alert[u'post'] = alert[u'postdata']
        attack_deliver.catagory(http_alert)
    except Exception as e:
        record_err.logrecord()
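def readfile(startid=1):
    """Load httpattack row startid and route read_file records to check_fileread_attack.checkstatus().

    hostname and url are stored base64-encoded (see writedb) and decoded
    here; postdata is decoded when the method is POST and it is non-empty.
    Every column is coerced with str() because the db driver returns unicode.
    Prints 'mysql info error' and returns when no row matches (the original
    then hit an unbound name). The connection is always closed; errors are
    logged via record_err.logrecord().
    """
    try:
        config = getinfo(myconf)
        conn = mysql.connector.connect(**config)
        try:
            cur = conn.cursor()
            # id is bound as a parameter rather than formatted into the statement
            cur.execute(
                'select catagory, hostname, url, method, status, postdata, payload, dstport '
                'from httpattack where id = %s', (startid,))
            result = cur.fetchall()
        finally:
            conn.close()
        if not result:
            print('mysql info error')
            return
        catagory, hostname, url, method, status, postdata = result[0][:6]
        catagory = str(catagory)
        hostname = str(base64.b64decode(hostname))
        url = str(base64.b64decode(url))
        method = str(method)
        status = str(status)
        postdata = str(postdata)
        if method.lower() == 'post' and len(postdata) > 0:
            postdata = str(base64.b64decode(postdata))
        if catagory == u'read_file':
            # still to decide whether the target needs a login first
            check_fileread_attack.checkstatus(startid, hostname, url, method, status, postdata)
        # other categories are not processed yet
    except Exception as e:
        record_err.logrecord()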
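class Attack(object):
    """One IDS record plus the verification result kept under data['result'].

    The original author lists the outcomes as attack succeeded ('succesd'),
    failed ('failed') and unknown ('unknown'); the code on this page also
    uses 'uncheck' for whitelisted hosts and unimplemented checks. The
    constructor mutates the dict it is given.
    """

    def __init__(self, data):
        self.data = data
        self.data['result'] = ''

    def whitecheck(self):
        """Return self.data with result 'uncheck' when hostname is whitelisted, else 0.

        conf/whitelist.txt holds one Python dict literal with a 'whitelist'
        list on its first line; it is parsed with ast.literal_eval (literals
        only) instead of eval(), and the file is closed.
        """
        import ast
        with open('conf/whitelist.txt', 'r') as fh:
            rule = ast.literal_eval(fh.readline())
        if 'hostname' in self.data and self.data['hostname'] in rule['whitelist']:
            self.data['result'] = 'uncheck'
            return self.data
        return 0

    def result(self):
        """Return the detection result (not implemented)."""
        pass

    def statuscheck(self):
        """Return 1 when status is present, non-empty and outside 200-299, else 0.

        1 means the page did not come back normally (usually it cannot be
        opened); 0 means no status, an empty status, a 2xx, or a status that
        is not a number, i.e. the record needs further testing. The value is
        compared numerically: the readers on this page store status as a
        str, which the original's direct comparison with 200/299 mishandled.
        """
        status = self.data.get('status', '')
        if status == '':
            return 0
        try:
            code = int(status)
        except (TypeError, ValueError):
            return 0
        return 1 if code < 200 or code > 299 else 0

    def scancheck(self):
        """Scanner check (not implemented)."""
        pass

    def cvecheck(self):
        """CVE check (not implemented)."""
        pass

    def iischeck(self):
        """IIS check (not implemented)."""
        pass

    def xsscheck(self):
        """XSS check (not implemented)."""
        pass

    def readfile(self):
        """Verify a file-read record by replaying its GET over http and https.

        A status outside 200-299 marks the record 'failed' and returns
        self.data. Otherwise the recorded GET is sent to http:// and
        https://<hostname><url> (the https probe with verify=False, i.e. no
        certificate validation) and the http body is printed, or 'failed'
        when it holds one of the known error markers. Only GET is replayed.
        The method is printed, the record is marked 'uncheck' and nothing is
        returned, as in the original.
        """
        if self.statuscheck() == 1:
            self.data['result'] = 'failed'
            return self.data
        # TODO(original): a whitelist of response texts that mean the read failed
        url = self.data['url'].replace('\\/', '/')  # undo escaped slashes in the stored url
        header = {'user-agent': 'Chrome/60.0.3112.113 Safarids24/537.36'}
        hostname = self.data['hostname']
        httpurl = 'http://' + hostname + url
        httpsurl = 'https://' + hostname + url
        if self.data['method'].lower() == 'get':
            r1 = requests.get(httpurl, headers=header)
            # the https response is fetched but not inspected yet
            requests.get(httpsurl, headers=header, verify=False)
            error_markers = ('请求异常', '系统错误', 'Bad Request')
            if any(marker in r1.content for marker in error_markers):
                print('failed')
            else:
                print(r1.content)
        # POST and other methods are not replayed yet
        print(self.data['method'])
        self.data['result'] = 'uncheck'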
pass elif newcontent['attacktype'] == u'url扫描': pass elif newcontent['attacktype'] == u'命令执行': pass elif newcontent['attacktype'] == u'文件读取': checkresult = attack.readfile() elif newcontent['attacktype'] == u'sql注入': pass elif newcontent['attacktype'] == u'url扫描': pass else: pass else: #这里代表检测完毕,可以输出到文本了 pass # print checkresult # Attackengine.Attack(newcontent) except: log.write(str(fromline) + 'line is finished!\n') continue log.close() else: print fromline time.sleep(10) readfile = File(syspath, fromline) filelines = readfile.count() except Exception as e: record_err.logrecord()
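def readfile(content):
    """Convert one JSON IDS alert line into the flat dict catagory() expects.

    An alert with an 'http' object yields a dict with status, postdata,
    payload, method and length (each defaulting to ''), plus useragent, url,
    hostname, xff, src_ip, src_port, dest_ip, dest_port, datetime and alert
    (the signature text) when present — every value passed through str() —
    and is handed to catagory(). Alerts without an 'http' object are only
    appended to logs/other_attack.txt, one dict repr per line; that file is
    opened just for them and closed (the original leaked the handle on the
    http path). Errors are logged via record_err.logrecord().
    """
    try:
        con_dict = json.loads(content)
        if u'http' not in con_dict:
            # non-http traffic is recorded, not processed
            with open('logs/other_attack.txt', 'a') as otherattackfile:
                otherattackfile.write(str(con_dict))
                otherattackfile.write('\n')
            return
        http = con_dict[u'http']
        new_dict = {'status': '', 'postdata': '', 'payload': '', 'method': '', 'length': ''}
        # (key inside the http object, key in the flat dict)
        http_fields = (
            (u'status', 'status'),
            (u'http_user_agent', 'useragent'),
            (u'url', 'url'),
            (u'hostname', 'hostname'),
            (u'xff', 'xff'),
            (u'http_method', 'method'),
            (u'request_body', 'postdata'),
            (u'length', 'length'),
        )
        for src, dst in http_fields:
            if src in http:
                new_dict[dst] = str(http[src])
        # (top-level key, key in the flat dict)
        top_fields = (
            (u'src_ip', 'src_ip'),
            (u'src_port', 'src_port'),
            (u'dest_ip', 'dest_ip'),
            (u'dest_port', 'dest_port'),
            (u'timestamp', 'datetime'),
            (u'payload', 'payload'),
        )
        for src, dst in top_fields:
            if src in con_dict:
                new_dict[dst] = str(con_dict[src])
        if u'alert' in con_dict:
            new_dict['alert'] = str(con_dict[u'alert'][u'signature'])
        catagory(new_dict)
    except Exception as e:
        record_err.logrecord()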
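def catagory(idsdata):
    """Set idsdata['catagory'] from the alert signature text and log the record.

    The first (substring, category) rule that matches idsdata['alert'] wins,
    in the order listed below. Categorised records are appended to
    logs/http_cat.txt; records no rule matches keep catagory '' and go to
    logs/other_alert.txt so rules can be added later. Both files are now
    closed (the original never closed them). Always returns None; errors are
    logged via record_err.logrecord().
    """
    rules = (
        # CVE
        ('CVE', 'cve_attack'),
        # read file
        ('read File', 'read_file'),
        ('aexp2.htr access', 'read_file'),
        ('EXPLOIT .htr access', 'read_file'),
        ('.htaccess access', 'read_file'),
        ('.ida access', 'read_file'),
        ('.idq access', 'read_file'),
        ('idq attempt', 'read_file'),
        ('ida attempt', 'read_file'),
        ('.asa access', 'read_file'),
        ('viewcode access', 'read_file'),
        ('printenv access', 'read_file'),
        ('fpcount access', 'read_file'),
        ('mod_gzip_status access', 'read_file'),
        ('executable downloader high likelihood', 'read_file'),
        ('.cnf access', 'read_file'),
        ('Tomcat directory traversal attempt', 'read_file'),
        ('phpinfo access', 'read_file'),
        ('cnf access', 'read_file'),
        # xxe
        ('XXE', 'xxe_attack'),
        # iis
        ('EXPLOIT iisadmpwd', 'iis_attack'),
        ('iissamples access', 'iis_attack'),
        ('ASP file access', 'iis_attack'),
        # xss
        ('Cross Site Scripting', 'xss_attack'),
        # url scan
        ('administrator access', 'url_scan'),
        # sql inject
        ('SQL Errors in HTTP 200', 'sql_inject'),
        # command execute
        ('Access to /phppath/php', 'cmd_execute'),
        ('System Command', 'cmd_execute'),
        ('PHP config option', 'cmd_execute'),
        ('PHP tags in HTTP', 'cmd_execute'),
        ('perl command attempt', 'cmd_execute'),
        # scanner
        ('SCAN Nessus', 'scanner'),
    )
    try:
        idsdata['catagory'] = ''
        alert = idsdata['alert']
        for needle, category in rules:
            if needle in alert:
                idsdata['catagory'] = category
                break
        else:
            # no rule hit: keep the record so a rule can be written for it
            with open('logs/other_alert.txt', 'a') as other_alert:
                other_alert.write(str(idsdata))
                other_alert.write('\n')
            return
        with open('logs/http_cat.txt', 'a') as httpcatafile:
            httpcatafile.write(str(idsdata))
            httpcatafile.write('\n')
        # deldupl(idsdata)
    except Exception as e:
        record_err.logrecord()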